M0B notes

Search CTRL + K

M0B notes

Search CTRL + K

☁️ Cloud Pentest

AWS

flAWS

flaws.cloud

flaws2.cloud

Theory

Pentesting APIs & Lambdas

Pentesting ECRs

Pentesting S3 Buckets

Learn AWS pentesting

🌐 Web Pentest - PortSwigger Labs

Access Control

01 - Unprotected admin functionality

02 - Unprotected admin functionality with unpredictable URL

03 - User role controlled by request parameter

04 - User role can be modified in user profile

05 - User ID controlled by request parameter

06 - User ID controlled by request parameter, with unpredictable user IDs

07 - User ID controlled by request parameter with data leakage in redirect

08 - User ID controlled by request parameter with password disclosure

09 - Insecure direct object references

10 - URL-based access control can be circumvented

11 - Method-based access control can be circumvented

12 - Multi-step process with no access control on one step

13 - Referer-based access control

APIs

Exploiting server-side parameter pollution in a REST URL

Authentication

01 - Username enumeration via different responses

02 - 2FA simple bypass

03 - Password reset broken logic

04 - Username enumeration via subtly different responses

05 - Username enumeration via response timing

06 - Broken brute-force protection, IP block

07 - Username enumeration via account lock

08 - 2FA broken logic

09 - Brute-forcing a stay-logged-in cookie

10 - Offline password cracking

11 - Password reset poisoning via middleware

12 - Password brute-force via password change

Business Logic

01 - Excessive trust in client-side controls

02 - High-level logic vulnerability

03 - Inconsistent security controls

04 - Flawed enforcement of business rules

05 - Low-level logic flaw

06 - Inconsistent handling of exceptional input

07 - Weak isolation on dual-use endpoint

08 - Insufficient workflow validation

09 - Authentication bypass via flawed state machine

10 - Infinite money logic flaw

11 - Authentication bypass via encryption oracle

Clickjacking

1 - Basic clickjacking with CSRF token protection

2 - Clickjacking with form input data prefilled from a URL parameter

3 - Clickjacking with a frame buster script

4 - Exploiting clickjacking vulnerability to trigger DOM-based XSS

5 - Multistep clickjacking

CORS

Practice

1 - CORS vulnerability with basic origin reflection

2 - CORS vulnerability with trusted null origin

3 - CORS vulnerability with trusted insecure protocols

CSRF

01 - CSRF vulnerability with no defenses

02 - CSRF where token validation depends on request method

03 - CSRF where token validation depends on token being present

04 - CSRF where token is not tied to user session

05 - CSRF where token is tied to non-session cookie

06 - CSRF where token is duplicated in cookie

07 - SameSite Lax bypass via method override

08 - SameSite Strict bypass via client-side redirect

09 - SameSite Strict bypass via sibling domain

10 - SameSite Lax bypass via cookie refresh

11 - CSRF where Referer validation depends on header being present

12 - CSRF with broken Referer validation

DOM-Based

Practice

1 - DOM XSS using web messages

2 - DOM XSS using web messages and a JavaScript URL

3 - DOM XSS using web messages and JSON.parse

4 - DOM-based open redirection

5 - DOM-based cookie manipulation

6 - Exploiting DOM clobbering to enable XSS

7 - Clobbering DOM attributes to bypass HTML filters

Theory

Essential Skills

1 - Discovering vulnerabilities quickly with targeted scanning

2 - Scanning non-standard data structures

Exams 📝

Cosas que hacer si no van los escaneos

Practice Exam 1

Practice Exam 2

File Uploads

2 - Web shell upload via Content-Type restriction bypass

3 - Web shell upload via path traversal

4 - Web shell upload via extension blacklist bypass

5 - Web shell upload via obfuscated file extension

6 - Remote code execution via polyglot web shell upload

GraphQL

Practice

1 - Accessing private GraphQL posts

2 - Accidental exposure of private GraphQL fields

3 - Finding a hidden GraphQL endpoint (& Bypassing Introspection defenses)

4 - Bypassing GraphQL brute force protections

5 - Performing CSRF exploits over GraphQL

Theory

Como testear graphQL

What is GraphQL? | Web Security Academy

Working with GraphQL in Burp Suite

HTTP Host header

1 - Basic password reset poisoning

2 - Host header authentication bypass

3 - Web cache poisoning via ambiguous requests

4 - Routing-based SSRF

5 - SSRF via flawed request parsing

6 - Host validation bypass via connection state attack

Cabeceras para spoofear Host

HTTP Request Smuggling

01 - HTTP request smuggling, basic CL.TE vulnerability

02 - HTTP request smuggling, basic TE.CL vulnerability

03 - HTTP request smuggling, obfuscating the TE header

04 - HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

05 - HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

06 - Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

07 - Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

08 - Exploiting HTTP request smuggling to reveal front-end request rewriting

09 - Exploiting HTTP request smuggling to capture other users' requests

10 - Exploiting HTTP request smuggling to deliver reflected XSS

11 - Response queue poisoning via H2.TE request smuggling

12 - H2.CL request smuggling

13 - HTTP2 request smuggling via CRLF injection

14 -HTTP2 request splitting via CRLF injection

15 - CL.0 request smuggling

Information Disclosure

1 - Information disclosure in error messages

2 - Information disclosure on debug page

3 - Source code disclosure via backup files

4 - Authentication bypass via information disclosure

5 - Information disclosure in version control history

Insecure Deserialization

1 - Modifying serialized objects

2 - Modifying serialized data types

3 - Using application functionality to exploit insecure deserialization

4 - Arbitrary object injection in PHP

5 - Exploiting Java deserialization with Apache Commons

6 - Exploiting PHP deserialization with a pre-built gadget chain

7 - Exploiting Ruby deserialization using a documented gadget chain

Java Deserialization Scanner

JWT

Use JWT editor from Burpsuite

Ways to Hack JWT

LLMs

1 - Exploiting LLM APIs with excessive agency

2 - Exploiting vulnerabilities in LLM APIs

3 - Indirect prompt injection

NOSQLi

1 - Detecting NoSQL injection

2 - Exploiting NoSQL operator injection to bypass authentication

3 - Exploiting NoSQL injection to extract data

4 - Exploiting NoSQL operator injection to extract unknown fields

Oauth

1 - Authentication bypass via OAuth implicit flow

2 - SSRF via OpenID dynamic client registration

3 - Forced OAuth profile linking

4 - OAuth account hijacking via redirect_uri

5 - Stealing OAuth access tokens via an open redirect

Path Traversal

1 - File path traversal, simple case

2 - File path traversal, traversal sequences blocked with absolute path bypass

3 - File path traversal, traversal sequences stripped non-recursively

4 - File path traversal, traversal sequences stripped with superfluous URL-decode

5 - File path traversal, validation of start of path

6 - File path traversal, validation of file extension with null byte bypass

Prototype Pollution

1 - Client-side prototype pollution via browser APIs

2 - DOM XSS via client-side prototype pollution

3 - DOM XSS via an alternative prototype pollution vector

4 - Client-side prototype pollution via flawed sanitization

5 - Client-side prototype pollution in third-party libraries

6 - Privilege escalation via server-side prototype pollution

7 - Detecting server-side prototype pollution without polluted property reflection

8 - Bypassing flawed input filters for server-side prototype pollution

9 - Remote code execution via server-side prototype pollution

Race Conditions

1 - Limit overrun race conditions

2 - Bypassing rate limits via race conditions

3 - Multi-endpoint race conditions

4 - Single-endpoint race conditions

RCE

1 - OS command injection, simple case

2 - Blind OS command injection with time delays

3 - Blind OS command injection with output redirection

4 - Blind OS command injection with out-of-band interaction

5 - Blind OS command injection with out-of-band data exfiltration

SQLi

01 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

02 - SQL injection vulnerability allowing login bypass

03 - SQL injection attack, querying the database type and version on Oracle

04 - SQL injection attack, querying the database type and version on MySQL and Microsoft

05 - SQL injection attack, listing the database contents on non-Oracle databases

06 - SQL injection attack, listing the database contents on Oracle

07 - SQL injection UNION attack, determining the number of columns returned by the query

08 - SQL injection UNION attack, finding a column containing text

09 - SQL injection UNION attack, retrieving data from other tables

10 - SQL injection UNION attack, retrieving multiple values in a single column

11 - Blind SQL injection with conditional responses

12 - Blind SQL injection with conditional errors

13 - Visible error-based SQL injection

14 - Blind SQL injection with time delays

15 - Blind SQL injection with time delays and information retrieval

16 - Blind SQL injection with out-of-band interaction

17 - Blind SQL injection with out-of-band data exfiltration

18 - SQL injection with filter bypass via XML encoding

SSRF

1 - Basic SSRF against the local server

2 - Basic SSRF against another back-end system

3 - Blind SSRF with out-of-band detection

4 - SSRF with blacklist-based input filter

5 - SSRF with filter bypass via open redirection vulnerability

SSTI

1 - Basic server-side template injection

2 - Basic server-side template injection (code context)

3 - Server-side template injection using documentation

4 - Server-side template injection in an unknown language with a documented exploit

5 - Server-side template injection with information disclosure via user-supplied objects

Web Cache Deception

1 - Exploiting path mapping for web cache deception

2 - Exploiting path delimiters for web cache deception

3 - Exploiting origin server normalization for web cache deception

4 - Exploiting cache server normalization for web cache deception

Comparación Deception VS Poisoning

Web Cache Poisoning

Practice

1 - Web cache poisoning with an unkeyed header

2 - Web cache poisoning with an unkeyed cookie

3 - Web cache poisoning with multiple headers

4 - Targeted web cache poisoning using an unknown header

5 - Web cache poisoning via an unkeyed query string

6 - Web cache poisoning via an unkeyed query parameter

7 - Parameter cloaking

8 - Web cache poisoning via a fat GET request

9 - URL normalization

Theory

WebSockets

1 - Manipulating WebSocket messages to exploit vulnerabilities

2 - Cross-site WebSocket hijacking

3 - Manipulating the WebSocket handshake to exploit vulnerabilities

XSS

01 - Reflected XSS into HTML context with nothing encoded

02 - Stored XSS into HTML context with nothing encoded

03 - DOM XSS in document.write sink using source location.search

04 - DOM XSS in innerHTML sink using source location.search

05 - DOM XSS in jQuery anchor href attribute sink using location.search source

06 - DOM XSS in jQuery selector sink using a hashchange event

07 - Reflected XSS into attribute with angle brackets HTML-encoded

08 - Stored XSS into anchor href attribute with double quotes HTML-encoded

09 - Reflected XSS into a JavaScript string with angle brackets HTML encoded

10 - DOM XSS in document.write sink using source location.search inside a select element

11 - DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

12 - Reflected DOM XSS (Eval)

13 - Stored DOM XSS (Bad Sanitization)

14 - Reflected XSS into HTML context with most tags and attributes blocked

15 - Reflected XSS into HTML context with all tags blocked except custom ones

16 - Reflected XSS with some SVG markup allowed

17 - Reflected XSS in canonical link tag

18 - Reflected XSS into a JavaScript string with single quote and backslash escaped

19 - Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

21 - Exploiting cross-site scripting to steal cookies

22 - Exploiting cross-site scripting to capture passwords

Another XSS payloads

How to escape from a JavaScript String

XXE

1 - Exploiting XXE using external entities to retrieve files

2 - Exploiting XXE to perform SSRF attacks

3 - Blind XXE with out-of-band interaction

4 - Blind XXE with out-of-band interaction via XML parameter entities

5 - Exploiting blind XXE to exfiltrate data using a malicious external DTD

6 - Exploiting blind XXE to retrieve data via error messages

7 - Exploiting XInclude to retrieve files

8 - Exploiting XXE via image file upload

How to prepare for the Burp Suite Certified Practitioner exam | Web Security Academy

🎩 Real Life Pentest

Pentest Externo

Pentest Interno

🐉 N3thical

getent group N3thical

👨‍💻 Network Pentest

➕ Extras

CMS

Atlassian Confluence

H2 Database Console

PHP - phpmyadmin

Zookeeper - Exhibitor

Gestores de contraseña y cifrados

Local File Inclusion

⬆️ Privilege Escalation

Active Directory

AD Certificate Services

Directorio Activo

Grupos para escalar en AD

🔌Pentest by Ports

25,587,465 - SMTP

80,443 - HTTP & HTTPS

161,162,10161,10162 - SNMP

389,636,3268,3269 - LDAP

554,8554 - RTSP

631 - Internet Printing Protocol

1433 - Microsoft SQL Server

3306,33060 - MySQL

3389,3391,5938 - RDP

5895,5896 - winRM

61616, 61613, 61614, 1883, 8883, 5672, 8161 - Apache ActiveMQ

📦 Writeups of HTB machines

Linux

Windows

Enter to select

to navigate

ESC to close

04 - SQL injection attack, querying the database type and version on MySQL and Microsoft

'+UNION+SELECT+@@version,@@version+--+-